Column SECURED WITH label clause
Use the Column SECURED WITH label clause to provide label-based column-level security protection for a table by attaching a security label to the column. The label must be part of a security policy that the SECURITY POLICY clause attaches to the table.
This syntax fragment is part of the Column definition.
Element | Description | Restrictions | Syntax |
---|---|---|---|
label | Name of a security label | Must exist and must belong to the security policy that protects the table. | Identifier |
Usage
The Column security clause can add label-based column-level protection. This clause is valid only for tables that are protected by a security policy. For the CREATE TABLE syntax to associate a label-based security policy with a table, see SECURITY POLICY Clause.
The user who includes the Column SECURED WITH label clause in the CREATE TABLE statement must hold the DBSECADAM role.
The
security label can be the same label that protects other rows or columns
of the table, or it can be a different label of the same security
policy. The following restrictions apply to the SECURED WITH
clause:
- The column cannot be of data type IDSSECURITYLABEL.
- You must specify the label without the policy qualifier, rather than as policy.label.
- The label must be a label of the security policy that secures the table.
Example of creating a table with column-level protection
The following CREATE TABLE statement defines a protected table called Rigel with the following schema:
CREATE TABLE Rigel IF NOT EXISTS Rigel (Col1 NCHAR(134)COLUMN SECURED WITH LabelRW, Col2 DATE, Col3 CHAR(20), SECURITY POLICY company;
The column security clause for column Col1 provides column-level protection for the data stored in that column of the Rigel table by associating the security label LabelRW with column Col1. The SECURITY POLICY clause specifies the company security policy.
The CREATE TABLE statement in this example would fail if no security policy called company is defined in the database, or if the company policy exists, but no security label LabelRW is a component of the company security policy.
Example of creating a table with column-level and row-level protection
The following CREATE TABLE statement defines a protected table called Vega with the following schema:
CREATE TABLE Vega IF NOT EXISTS Vega (Col1 NCHAR(134)COLUMN SECURED WITH LabelRW, Col2 DATE, Col3 CHAR(20), Col4 IDSSECURITYLABEL DEFAULT LabelRW) SECURITY POLICY company;
The column security clause for column Col1 provides column-level protection for the data stored in that column of the Vega table by associating the security label LabelRW with column Col1.
The table also has row-level protection from the company security policy, whose label LabelRW is the default value of the IDSSECURITYLABEL data type of Col4. In this example, label LabelRW provides row-level protection in Col4, and column-level protection in Col1.
The label stored in column Col4 and the label securing column Col1 could be different security labels, but both must be labels of the same company security policy.
The CREATE TABLE statement in this example would fail if no security policy called company is defined in the database, or if the company policy exists, but no security label LabelRW is a component of the company security policy.